Server-assisted secure exponentiation

ABSTRACT

In one embodiment, a method for secure computation, includes receiving in a server, over a communication channel from a device external to the server a request to perform a modular exponentiation operation in which an exponent of the operation comprises a secret value, wherein the secret value is not provided to the server, and at least two parameters that encode the secret value in accordance with a polynomial or matrix homomorphic encryption of the secret value computed by the device, and performing in the server, in response to the request, a homomorphic exponentiation using the at least two parameters received from the device without decrypting the secret value in the server, so as to generate an output that is indicative of a result of the modular exponentiation operation.

RELATED APPLICATION INFORMATION

The present application claims priority from Israel Patent Application S/N 239102 of Cisco Technologies Inc. filed on 31 May 2015.

TECHNICAL FIELD

The present disclosure relates generally to cryptography, and particularly to systems and methods for execution of computations using secret values by an untrusted computer.

BACKGROUND

Homomorphic encryption is a form of encryption that allows computations to be carried out on ciphertext, thus generating an encrypted result which, when decrypted, matches the result of operations performed on the plaintext. Using homomorphic encryption, for instance, one computer could add two encrypted numbers, and then another computer could decrypt the result, without either of them being able to find the values of the individual numbers.

A variety of homomorphic encryption systems are known in the art. For example, PCT International Publication WO 2014/016795, describes a practical, fully-homomorphic encryption system for specific data in Z_(N) (wherein Z_(N) is the ring of residues modulo N, and N is factored by two primes, p and q). The system can be used in fully-homomorphic methods for practical randomization of data (over a commutative ring), as well as symmetric encryption of mod-N data over the ring Z_(N). It can be used to secure, for example, the multivariate input or the coefficients of a public polynomial function for running in an open, untrusted environment.

The methods disclosed in the above-mentioned PCT publication are said to enable the use of low-cost collaborative security platforms for applications such as keyed-hash or private-key derivation algorithms. Such a platform may comprise a low-cost (and low-performance) security element, supported by an untrusted high-performance server running the homomorphic algorithms. It is shown in the publication that random plaintext data is a sufficient condition for proof of security of the homomorphic encryption.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure will be more fully understood from the following detailed description of the embodiments thereof, taken together with the drawings in which:

FIG. 1 is a block diagram that schematically illustrates a system for secure computation using homomorphic encryption, in accordance with an embodiment of the present disclosure;

FIG. 2 is a flow chart that schematically illustrates a method for secure exponentiation using homomorphic encryption, in accordance with an embodiment of the present disclosure;

FIG. 3 is a communication flow diagram that schematically illustrates a method for cryptographic key exchange using homomorphic encryption, in accordance with an embodiment of the present disclosure; and

FIG. 4 is a flow chart that schematically illustrates a method for key pair computation, in accordance with an embodiment of the disclosure.

DESCRIPTION OF EXAMPLE EMBODIMENTS Overview

There is therefore provided, in accordance with an embodiment of the disclosure, a method for secure computation, which includes receiving in a server, over a communication channel from a device external to the server, a request to perform a modular exponentiation operation in which an exponent of the operation includes a secret value, which is not provided to the server, and at least two parameters that encode the secret value in accordance with a polynomial homomorphic encryption of the secret value computed by the device. The server performs, in response to the request, a homomorphic exponentiation using the parameters received from the device without decrypting the secret value in the server, so as to generate an output that is indicative of a result of the modular exponentiation operation.

There is also provided, in accordance with an embodiment of the disclosure, a method for secure key exchange between first and second peer devices, which respectively hold first and second secret values, a and b. The method includes computing in the first peer device an encryption of the first secret value a so as to generate encryption parameters that encode the first secret value, and conveying the encryption parameters over a communication channel to a server, which does not have access to either of the first and second secret values a and b. A first base value g^(a), equal to a public value g raised to a first power equal to the first secret value a, is computed and conveyed to the second peer device, which raises the first base value to a second power equal to the second secret value b in order to generate a session key g^(ab). (The computations are typically performed in modular arithmetic, with a base N=p·g, as is known in the art.) The server receives a second base value g^(b) computed by the second peer device by raising the public value g to the second power. A homomorphic exponentiation is computed in the server using the encryption parameters and the second base value g^(b), so as to generate an output HE(g^(ab)) that is indicative of the session key. The output is conveyed from the server over the communication channel to the first peer device, which applies a polynomial homomorphic decryption to the output conveyed by the server in order to recover the session key g^(ab). Communications between the first and second peer devices are encrypted and decrypted using the session key.

DETAILED DESCRIPTION

A number of cryptographic protocols that are in common use today involve secure exponentiation, such as raising a value to a large secret power. Such exponentiation, like other cryptographic operations, is typically performed as a modular operation, with a large modulus. Therefore, references to exponentiation and arithmetic operations in the present description and in the claims should generally be understood as referring to modular operations unless otherwise specified. The term “large,” as used herein in reference to moduli and other numerical values, means large enough to provide cryptographic security given available computing power. This criterion typically implies values of at least 1000 bits in present terms.

The modular exponentiation required by cryptographic protocols is “secure” in the sense that the secret value used in the computation is not revealed to untrusted parties. Specifically, it is typically practically infeasible to compute the secret value from the result of the modular exponentiation or other public values. To achieve the desired security, in most cases, the computational task is carried out within a secure element, which holds the secret value internally. Such exponentiation, however, requires a large number of multiplications of large numbers. This task is, therefore, computationally challenging for secure elements with limited computing power, such as a low-cost SIM or smart card without a hardware-based crypto-accelerator.

Some embodiments of the present disclosure that are described herein overcome this limitation by means of collaborative computation, in which the secure element delegates the exponentiation task to a computationally powerful but unsecure (and therefore untrusted) server. The term “server” is used in this context to refer broadly to any suitable computer that is external to the secure element and provides the requested computational services, ranging from a process running remotely on a cloud server, to a host CPU with sufficient power on a mobile phone in which a secure SIM is installed, to a powerful application-CPU within a chip that also has a secure execution environment or a secure CPU. When the delegation of the exponentiation task is properly carried out, the secret value itself is not revealed to the server and cannot practically be recovered from the data exchanged between the secure element and the server. At the same time, the computing power of the server is exploited in order to complete the exponentiation operation in far less time than would be required for the secure element to carry out the operation itself, notwithstanding the additional time required for encryption, communication, and decryption of the computational result.

The disclosed embodiments meet these objectives using techniques of homomorphic encryption based on polynomial functions, referred to herein as “polynomial homomorphic encryption.” Techniques of this sort are described in greater detail in the above-mentioned PCT publication WO 2014/016795, as well as in the Annex below. These techniques enable the secure element to encrypt and decrypt secret values using only a few arithmetic operations, while defining a homomorphic version of the exponentiation operation that can be applied efficiently to the parameters provided by the encryption. The encryption scheme is provably-secure when applied to plaintext values that have the form of large random numbers. The numbers are “random” in the sense that they are chosen arbitrarily in Z_(N), and there is no correlation between successive choices, where Z_(N) is the ring of residues modulo N, and N is factored by two primes, p and q.

On this basis, the embodiments of the present disclosure that are described herein provide methods for secure computation, in which a server (understood broadly, as defined above) receives a request over a communication channel from a device external to the server to perform a modular exponentiation operation. The server in this context is untrusted, while the external device is a secure element, which holds a secret value that is not provided to the server. Any one or more of the exponent, the base, and the result of the requested exponentiation operation may comprise such a secret value. Using polynomial homomorphic encryption, the device computes and provides to the server at least two parameters that encode the secret value. In response to the request, the server performs a homomorphic exponentiation using the parameters received from the device without decrypting the secret value, and thus generates an output that is indicative of the result of the modular exponentiation operation.

In some cases in which the exponent of the requested exponentiation operation is the secret value, while the result of the exponentiation need not be kept secret, the server may use the parameters provided by the secure device in computing and outputting the actual result of the exponentiation operation in plaintext. In other cases, the result that is output by the server comprises a pair of output values, which are then decrypted by the secure device using the appropriate polynomial homomorphic decryption key in order to recover the result of the exponentiation operation.

Typically, the polynomial homomorphic encryption scheme, as described in the above-mentioned PCT publication and in the Annex, uses two secret random large numbers as polynomial roots in encrypting plaintext values, and applies the corresponding polynomial in encoding each plaintext value in the form of two output parameters. The actual encoding scheme is explained further hereinbelow. In some embodiments, the server receives from the secure device, in addition to these two output parameters, additional parameters equal to the sum and product of the roots, and applies the sum and the product in computing the homomorphic exponentiation.

In some of the disclosed embodiments, the result of the modular exponentiation operation is a session key for use in encrypted communications between the device and a peer device. In such cases, the base of at least one of the modular exponentiation operations requested by the device typically comprises a public value that has been raised to a secret exponent held by the peer device.

As another example, when the Diffie-Hellman shared-key protocol is carried out in the conventional manner between peer devices of Alice and Bob, Alice's device passes to Bob's device a public value g raised to the power of Alice's secret, a, i.e., Alice's device passes the value of g^(a) mod N to Bob's device. Bob's device who has its secret, b, passes to Alice's device the value g^(b) mod N. Alice's device and Bob's device can each securely compute g^(ab) for use as a shared session key by raising the value each received (g^(b) or g^(a), respectively) to Alice's or Bob's own secret power (a or b, respectively).

In another embodiment of the present disclosure, on the other hand, when Alice's device has weak computational capabilities, Alice's device can instead use the present homomorphic encryption scheme to encrypt and pass its secret value a securely to the server. Alice's device also passes the value of g^(a) to Bob's device, along with certain “helping values” (as explained below). Bob's device passes its public value g^(b) to the server, along with a homomorphically-encrypted interim result based on the values that Alice's device has provided. The server uses the values provided by Alice's device and Bob's device to homomorphically exponentiate g^(b), and returns to Alice's device a pair of output values representing the session key g^(ab), which Alice's device can efficiently and securely decrypt using the homomorphic decryption key known only to Alice's device. Alice's device and Bob's device can then encrypt and decrypt subsequent communications between them using the session key.

FIG. 1 is a schematic, pictorial illustration of a cryptographic system 20, in accordance with an embodiment of the present disclosure. In the pictured embodiment, an untrusted server 22 performs homomorphic exponentiation on behalf of a secure client device 24. The server in this example may be a general-purpose computer, comprising a processor 30 and a memory 26, with an interface 28 for communicating with device 24. Interface 28 is pictured as comprising a wireless antenna, but other types of wireless and/or wired links may be provided alternatively or additionally as channels for communicating with clients. The server may also comprise a display and/or other peripheral components.

Typically, server 22 performs the functions that are described herein under the control of software. This software may be downloaded to the server in electronic form, over a network, for example. Alternatively or additionally, the software may be held on tangible, non-transitory computer-readable media, such as optical, magnetic, and/or electronic memory components.

Client device 24 in this example comprises a smart card, comprising a processor 32, a memory 34, and a communication interface 36, and possibly other components such as a display 38. As in the case of interface 28, interface 36 is shown in the figure as comprising a wireless antenna, so that server 22 communicates with device 24 over a wireless communication channel. Alternatively, the communication channel between server 22 and device 24 may comprise any other suitable sort of wireless or wired link, including internal buses, such as, in certain embodiments, internal links within an apparatus or even in a single chip that contains both device 24 and processor 30.

Processor 32 is typically programmed in software or firmware, which may be stored in memory 34, to carry out the functions that are described herein. Alternatively or additionally, processor 32 may comprise dedicated hardware logic for carrying out at least some of these functions. In view of the computational simplicity of the cryptographic methods performed by device 24, however, as described hereinbelow, it is generally unnecessary that device 24 comprise dedicated cryptographic accelerator circuits, as in some devices that are known in the art.

In some embodiments of the present disclosure, device 24 makes use of the exponentiation support provided by server 22 in carrying out encrypted communications with a peer device 40. Device 40 typically comprises a general-purpose or dedicated computer, comprising a software-driven processor 42 and a memory 44, along with a user interface 46, if required, and a communication interface 48.

In such embodiments, device 24 may make use of the services of server 22 in computing a secret session key under a secure key-exchange protocol, such as the Diffie-Hellman protocol mentioned above. In this context, server 22 uses information provided both by device 24 and by peer device 40. For this purpose, device 40 may communicate directly with server 22, or it may convey the necessary information to device 24, which passes the information to the server. For enhanced security, device 24 may also delegate certain homomorphic computations to peer device 40, as explained further hereinbelow with reference to FIG. 3. In the described embodiment, the communication channels between server 22, device 24, and peer device 40 are typically not secure.

For the sake of clarity and convenience, embodiments of the present disclosure are described hereinbelow by way of example with reference to the elements of system 20. The principles of the present disclosure are by no means limited to this sort of system, however, and may alternatively be implemented in substantially any sort of cryptographic environment, including both client-server and peer-to-peer applications, and including substantially any and all sorts of computing and cryptographic devices. Specifically, although server 22 is shown in FIG. 1 as a distinct physical machine, the functions of server 22 in the present embodiments may be carried out by substantially any suitable sort of computing machine, ranging, for example, from a virtual machine running on a cloud computer or cluster, to an unsecure processor contained in the same physical enclosure as device 24.

Polynomial Homomorphic Exponentiation

The following description will relate to encryption and exponentiation of a single numerical variable v, using a second-order public polynomial PP(v). The computations are typically mod N, wherein N is a public modulus, which may be derived as the product of two secret primes, p and q, N=p·q. Encryption schemes using higher-order polynomials may alternatively be used and are considered to be within the scope of the present disclosure. Further details are presented in the Annex. The Annex also describes a matrix based homomorphic method which may be used for homomorphic encryption and/or decryption as described herein.

To encrypt a secret value for exponentiation, Alice's device (device 24) selects two (mod N) secret, random, large numbers, v₁ and v₂, and computes the public polynomial:

PP(v)=(v−v ₁)·(v−v ₂)mod N=v ² +b·v+c

The plaintext value X_(i) can be encrypted using any linear function in the variable v of the form a_(i) ·v+d _(i) satisfying a_(i)·v₁+d_(i)=X_(i). The homomorphic encryption of X_(i), HE(X_(i)), is defined by the pair of parameters (a_(i),d_(i)). To encrypt X_(i) in this fashion, Alice's device selects a large-number (mod N) random value R_(i), sets a_(i)=R_(i), and finds d_(i) by solving the linear equation:

R _(i) ·v ₁ +d _(i) =X _(i) , i.e., d _(i) =X _(i) −R _(i) ·v ₁.

Thus, the ciphertext of X_(i) is the pair (a_(i),d_(i)).

To decrypt an encrypted variable (or a computed function of encrypted variables, as may be returned to Alice's device by server 22) that is represented by a pair (a,d), Alice's device need only compute the linear function a·v₁+d using the secret root v₁.

Homomorphic multiplication of encrypted values of the form HE(X_(i))=(a_(i),d_(i)) by server 22 requires that the server also receive from Alice's device and make use of the polynomial coefficients derived above:

b=−(v ₁ +v ₂)≡−T _(v)

c=v ₁ ·v ₂ ≡P _(v)

Server 22 performs homomorphic multiplication of two encrypted values HE(X₁) and HE(X₂) by computing the following sum of products:

HE(X ₁)·HE(X ₂)=((a ₁ +d ₁)·(a ₂ +d ₂)−a ₁ ·a ₂·(1+b)−d ₁ ·d ₂,(d ₁ ·d ₂ −a ₁ —a ₂ ·c))

The above form utilizes five multiplications for each product computed. For squaring, the number of multiplications may be reduced to four using the following formula:

(HE(X ₁))²=(a ₁·(2d ₁ −b·a ₁),(d ₁ +√{square root over (c)}·a ₁)·(d ₁ −√{square root over (c)}·a ₁))

Server 22 performs homomorphic exponentiation of HE(X_(i)) by repeated squaring and multiplication operations, using the values a_(i) and d_(i), along with other public “helping values,” such as T_(v) and P_(v), that are provided by device 24. Considering the simplicity of the homomorphic encryption and decryption operations that are left for device 24 to perform, the computational load imposed on device 24 by an exponentiation of this sort with a large base and large exponent is typically reduced by over 98% when the exponentiation is offloaded to server 22, by comparison with internal exponentiation by device 24 itself.

FIG. 2 is a flow chart that schematically illustrates a method for secure exponentiation using homomorphic encryption, in accordance with an embodiment of the present disclosure. The method will first be presented generally, followed by more specific descriptions of three possible use cases.

To initiate a server-assisted exponentiation, Alice's device (device 24) computes the homomorphic encryption of a secret value that is to be used in the operation, at an encryption step 50. The secret value S may be either the base or the exponent, as illustrated in the use cases that follow. The encryption of S is the pair of parameters (a_(S),d_(S)), as defined above, which is expressed for each specific S in terms of the parameter values (Rs,Us).

Alice's device sends an exponentiation request to server 24, at a request step 52. The request includes the encrypted secret (Rs,Us), along with certain public helping values that are required for the particular configuration of the request (depending, for example, on whether the base or the exponent is secret, and whether the exponentiation result will be returned in encrypted or plaintext form). The server performs the exponentiation, using homomorphic squaring and multiplication functions, at a computation step 54. Because the encryption is homomorphic, the server need not decrypt the secret value in order to perform the computation, nor is the server practically able to decrypt the secret value.

After completing the computation, server 24 returns the result to Alice's device, at a return step 56. As noted above, depending on the configuration of the request made at step 52, the result may be either plaintext or homomorphically encrypted. In the latter case, Alice's device applies homomorphic decryption to the pair of parameters returned by the server in order to recover the actual result, at a decryption step 58.

The following two use cases illustrate applications of the method of FIG. 2 in two configurations:

1. Secret exponent S, public base g and result g^(s)

For this computation, Alice's device provides the server with the pair of encryption parameters HE(S)≡S*=(Rs,Us), along with g and the preliminary exponentiation value g^(v1). Assuming that both g and v1 are known to Alice's device well in advance, Alice's device may precompute or otherwise receive the value of g^(v1) securely, and may store it in memory 34 for subsequent use. Using the values provided by Alice's device, the server computes the product of two scalar exponentiations: g^(S)=g^(Us)(g^(v1))^(Rs) mod N and returns the plaintext result to Alice's device. This sort of computation is useful, for example, in supporting DSA encryption, for which g^(k) is computed with a secret k.

2. Public Base g, Secret Exponent S and Result g^(s)

To maintain security in this more challenging case, Alice's device uses two different polynomials for homomorphic encryption of different secret values: S is encrypted using a first polynomial with secret roots (v₁,v₂), while the preliminary exponentiation value g^(v1) is encrypted using a second polynomial with secret roots (w₁,w₂). Encryption of S and g^(v1) using the respective polynomials gives the results: HE(S)≡S*=(Rs,Us) and HE(g^(v1))≡G*=(R_(G),U_(G)). Alice's device passes these pairs of parameters to the server, along with the public base g and the sum and product values Tw and Pw of the second polynomial.

The server uses the encryption parameters and helping values in computing the product of a scalar exponentiation and a homomorphic exponentiation HE(g^(S))=g^(Us)(G*)^(Rs) mod N and returns the result to Alice's device. Alice's device uses the secret root w₁ to homomorphically decrypt HE(g^(S)) and thus recover the secret result g^(S).

The next section describes an application of the above principles in a three-way exchange of secret values, with secure exponentiation performed by two of the parties.

Server-Assisted Secure Key Exchange

FIG. 3 is a communication flow diagram that schematically illustrates a method for cryptographic key exchange using, in part, homomorphic encryption, in accordance with an embodiment of the present disclosure. As in the case of the preceding embodiments, the method will be described, for the sake of convenience and clarity, with reference to the elements of system 20, referring to device 24 alternatively as “Alice,” or “Alice's device” and peer device 40 as “Bob” or “Bob's device.” Device 40 is assumed to be a trusted device with sufficient computing power to perform its own part in the key exchange protocol without assistance. Device 24 is assisted in performing exponentiation by untrusted server 22, and may also delegate certain homomorphic computations to peer device 40, as described below. Server 22 in this case is “untrusted” in the sense that the server assists device 24 in exponentiation without receiving the actual secret exponent, although the server may still be trusted to receive and hold certain encryption parameters in confidence, as explained below. The homomorphic computations performed by Bob's device are important in supporting the role played by the server in exponentiation assistance.

The description below relates, for the sake of concreteness, to a particular implementation of the Diffie-Hellman key exchange protocol. The principles of server-assisted key exchange that are described herein (and more generally, the principles of server-assisted exponentiation), however, are not limited to this particular implementation, protocol, or system environment. In addition, although the method is described hereinbelow in terms of certain steps performed sequentially, in practice at least some of these steps may be performed concurrently or in a different sequential order. Furthermore, although the computational tasks in the present description are distributed among the parties (Alice's device, Bob's device, and the server) in a certain way, the techniques of server-aided exponentiation that are described above may be applied in other ways to support Diffie-Hellman and other key-exchange protocols. All of these alternative system and method implementations of the present principles are considered to be within the scope of the present disclosure

To begin the key exchange process of FIG. 3, Alice's device chooses and/or precomputes a number of secret values to be used in the protocol, at a pre-computation step 60. At this step, Alice's device pre-computes two key pairs: (t, g^(t)) and (v, g^(v)), wherein g is the public base and t and v are secrets. Techniques that may be used to perform this pre-computation securely, but with minimal expenditure of computation resources, are described hereinbelow with reference to FIG. 4. In addition, Alice's device chooses a number of large random values for use in the subsequent computations, including the secret exponent a, a pair of secret roots (w₁, w₂), and encryption parameters R_(a), R′_(a), and R_(G). Alice's device uses these parameters in a number of simple preparatory computations, including the following:

-   -   Alice's device uses R_(a) and v to encrypt a, giving the         encryption parameters (R_(a), U_(a)), wherein U_(a)=a−vR.     -   Similarly, Alice's device uses R′_(a) and t to perform another         encryption of a, giving the encryption parameters         (R′_(a),U′_(a)), wherein U′_(a)=a−tR′_(a).     -   Alice's device uses R_(G) and the secret roots (w₁, w₂) to         homomorphically encrypt the key value g^(v), giving the         parameters of HE(g^(v))≡G*=(R_(G), U_(G)), wherein         U_(G)=g^(v)−w₁R_(G).     -   Alice's device computes the public helping values T_(w)=w₁+w₂         and P_(w)=w₁·w₂.     -   Alice's device encrypts the parameter Ra using the public key e         of server 22 in an asymmetric encryption algorithm, such as RSA,         to give the encrypted value Ra*=(Ra^(e))mod N*. Here N* is a         large public modulus, while e has a small value to enable         Alice's device to perform the computation quickly, for example         e=3.

The variables in the above formulation may be of any suitable size. For example, in a typical implementation, a, N and N* are 1024 bit numbers; v and t are each 160 bits; and R_(a) and R′_(a) are each (N−160) bits. R_(G), w₁ and w₂ are in Z_(N).

Alice's device transmits the pair of encryption parameters (R′_(a),U′_(a)) and the key value g^(t) to server 22, at an initial transmission step 62. Server 22 uses these values in computing Alice's public key g^(a) for purposes of the key exchange protocol, at a public key computation step 64:

g ^(a)=(g ^(t))^(Rra) ·g ^(Ura) mod N

Server 22 transmits the value g^(a) to both Alice's device and Bob's device, at a public key transmission step 66. Alternatively, server 22 may transmit the value g^(a) to Alice's device, and Alice's device then transmits it to Bob's device. For purposes of the protocol, Alice's device also transmits the parameters of G* to Bob's device, along with the helping sum and product values T_(w) and P_(w) (as defined above), at a peer transmission step 68.

Bob's device chooses its own secret exponent b, and uses this value together with the public base g and modulus N to compute the public key g^(b) mod N, at a peer pre-computation step 70. Bob's device uses the parameters received in steps 66 and 68 to compute the homomorphic exponentiation (G*)^(b) mod N, as well as the secret session key g^(ab) mod N, at a peer computation step 72. In cryptographic terms, (G*)^(b) mod N=HE(g^(bv)) Bob's device returns the public values g^(b) and (G*)^(b) mod N to server 22, at a parameter return step 74. Alternatively, Bob's device may pass these values directly to Alice's device, who then forwards them to server 22. For the purposes of the next computation by server 22, Alice's device also passes the encryption parameters R_(a)* (i.e., the RSA-encrypted value of R_(a)) and U_(a) and the helping values T_(w) and P_(w) to the server, at a supplemental transmission step 76.

Server 22 uses these values to perform the exponentiation operations needed to compute the homomorphic encryption of the secret session key, HE(g^(ab)), at an exponentiation step 78. For this purpose, the server first decrypts the value R_(a)* to recover the original encryption parameter R_(a)=(R_(a) ^(e))^(d) mod N*, using the server's private RSA key d. As noted earlier, e and N* are the public key and modulus, respectively, of the server. Server 22 then uses the helping values received at step 76 to compute HE(g^(ab)) as follows by homomorphic exponentiation, using the parameters R_(a) and U_(a) and the public value g^(b), without access to or decryption of any of the secret values involved:

HE(g ^(ab))=(g ^(b))^(Ua)·[HE(g ^(bv))]^(Ra) mod N

Server 22 conveys this result, which comprises the pair of parameters that homomorphically encrypt the secret session key, g^(ab), back to Alice's device, at a result transmission step 80. Alice's device then applies the simple arithmetic operations of polynomial homomorphic decryption, as described above, to recover the session key: HD(HE(g^(ab)))mod N=g^(ab), at a key recovery step 82. Alice's device and Bob's device are now able to encrypt and decrypt communications between them using this session key, generally without requiring further assistance from the server.

FIG. 4 is a flow chart that schematically illustrates a method for key pair computation, which can be used by device 24 (Alice's device) in performing the pre-computation functions included in the pre-computation step 60, in accordance with an embodiment of the disclosure. For the purposes of pre-computation step 60, the values of g^(t) and g^(v), corresponding to the value g raised to the secret exponents t and v, respectively, may be pre-computed offline and stored by Alice's device for subsequent use. Alternatively, to provide Alice's device with a large choice of values of t and v while avoiding the need for full on-line computation of g^(t) and g^(v), Alice's device may acquire the values of x and g^(x) (x=t or v) for each key exchange using pre-computed table containing T pairs of component values of the form (X_(j), g^(X) ^(j) mod N), which are stored in memory 34 of device 24 in a table storage step 90. For example, the table may contain 256 pairs of values, in which the exponent X_(j) in each pair is approximately 160 bits long.

To compute the key pair (x, g^(x)), Alice's device randomly selects a set of L indices, j₁, j₂, . . . j_(L) (for example, with L=11), at a pair selection step 92. The number of indices is small compared to the number of pairs in the table. Using the selected L pairs of component values (X_(j), g^(X) ^(j) mod N), Alice's device then computes t and g^(t) as follows, at a key pair selection step 94:

t=Σ _(k=1) ^(L) x _(j) _(k) mod N, g ^(t)=Π_(k=1) ^(L) g ^(x) ^(jk) mod N.

The secret values v and g^(v) are similarly computed from the table using another set of L random values of j₁, j₂, . . . j_(L), to give:

g ^(v)=Π_(k=1) ^(L) g ^(x) ^(jk) mod N, v=Σ _(k=1) ^(L) x _(j) _(k) mod N.

If Alice's device does not have sufficient secure internal memory to store the table of T pairs of component values, the table may be encrypted and stored externally, and then streamed to Alice's device for random selection of L pairs when needed. Alternatively, other methods may be used in generating the above values securely, such as the methods described by de Rooij, in “Efficient Exponentiation Using Precomputation and Vector Addition Chains,” Advances in Cryptology—EUROCRYPT '94 (Lecture Notes in Computer Science 950, Springer-Verlag, 1995), pages 389-399.

Although the method of FIG. 4 is described above in the specific context of Diffie-Hellman key exchange, the use of pre-stored pairs of component values of the form (X_(j), g^(X) ^(j) mod N) in generating a large secret value and its exponent by summation and multiplication, as described above, is by no means limited to this specific context. Rather, this technique can be applied in other settings in which a device with weak computational capabilities is required to generate a large secret value and its exponent, such as in the methods for secure exponentiation that are described above with reference to FIG. 2.

It is appreciated that software components may, if desired, be implemented in ROM (read only memory) form. The software components may, generally, be implemented in hardware, if desired, using conventional techniques. It is further appreciated that the software components may be instantiated, for example: as a computer program product or on a tangible medium. In some cases, it may be possible to instantiate the software components as a signal interpretable by an appropriate computer, although such an instantiation may be excluded in certain embodiments of the present disclosure.

It will be appreciated that various features of the disclosure which are, for clarity, described in the contexts of separate embodiments may also be provided in combination in a single embodiment. Conversely, various features of the disclosure which are, for brevity, described in the context of a single embodiment may also be provided separately or in any suitable sub-combination.

It will be appreciated by persons skilled in the art that the present disclosure is not limited by what has been particularly shown and described hereinabove. Rather the scope of the disclosure is defined by the appended claims and equivalents thereof.

ANNEX The Methods: Practical FSERFs Simplified (Single Input)

Each of the isomorphic methods presented is an efficient non-deterministic Fully-homomorphic Symmetric Encryption and Randomization Function (FSERF). The input or message, IN, is comprised of k elements in a commutative ring (CR) or in ring Z_(N). Randomization is defined over a general commutative ring (CR), e.g., F₂₅₆, R (real numbers), or sub ring of commutative matrices. Encryption is defined over the ring Z_(N) (the operations are typically mod N, where N is a product of two (large secret) primes). The non-deterministic method operates on an input and a random parameter (in Z_(N) or CR); the random parameter typically changes per each execution of the method. For encryption both the plaintext input and the random parameter associated with it are random large-numbers in Z_(N).

Two fundamental isomorphic methods are defined below; each randomizes or encrypts a single input element X_(i). The basic (isomorphic) methods are a matrix-based method, MORE (Matrix Operation for Randomization or Encryption), and a polynomial-based method, PORE (Polynomial Operation for Randomization or Encryption). Additionally, ‘compound’ methods can be constructed by successively applying the basic methods.

The Matrix Method, MORE

Symmetric-Key Generation: Alice's device randomly selects a secret 2×2 invertible matrix, S, in Z_(N) to be the symmetric key for encryption.

Encryption: For each plaintext input element X_(i) Alice's device selects a random large-number Y_(i), in Z_(N). X_(i) and Y_(i) are placed in order on the diagonal of a 2×2 diagonal matrix. We denote MORE's output matrix as Ai and define the encryption of X_(i) as:

${{MORE}\left( X_{i} \right)} = {A_{i} = {{{S\begin{pmatrix} X_{i} & 0 \\ 0 & Y_{i} \end{pmatrix}}S^{- 1}} = \begin{pmatrix} a_{11} & a_{12} \\ a_{21} & a_{22} \end{pmatrix}}}$

The cipher text of X_(i) can be regarded as the four values given in matrix Ai. However an alternative economical representation is possible. For a given S, MORE's matrix space is defined by two large numbers, and the cipher text of a Xi is defined by any pair of large numbers in A_(i) except for a₁₂, a₂₁.

Decryption: One who knows S can decrypt the cipher text matrix A and recover a plaintext X. S and S⁻¹ are eliminated by simple matrix multiplication,

X=(S ⁻¹ AS)₁₁.

Alternatively, let the vector (1, e) be an eigenvector of the matrix

$A = {{S\begin{pmatrix} X & 0 \\ 0 & Y \end{pmatrix}}S^{- 1}}$

satisfying: (1, e)A=(X, e·X).

The decryption of A is defined as follows:

X=a₁₁+e·a₂₁ (Mod N) where e=(−S₁₂/S₂₂)mod N, and S_(ij), a_(ij) a are the ij elements of matrices S and A, respectively.

Computation of Multivariate Function of Encrypted Values

We define below the operations of addition, multiplication and division of encrypted values. We let A1 and A2 be the encrypted values of X₁ and X₂, respectively. The Ai's comprise the input of a function in which they are added, multiplied, or divided. We thus have for:

Addition, MORE (X₁)+MORE (X₂)=A₁+A₂; and

Multiplication, MORE (X₁)·MORE (X₂)=A₁·A₂; and

Division (for Det MORE(X2)≠0)

1/MORE (X₂)=A₂ ⁻¹ and MORE (X₁)/MORE (X₂)=A₁·A₂ ⁻¹; It can be easily shown that under the above definitions MORE is fully homomorphic.

The Polynomial Method, PORE

Again, the simplest yet useful case to consider is a single variable encryption with the minimum degree of the public polynomial.

Symmetric-Key Generation: Alice's device selects two (mod N) secret random large-numbers, v₁ and v₂, for the symmetric-key. Alice's device computes the public polynomial PP(v)=(v−v₁)·(v−v₂)mod N=v²+b·v+c.

Encryption: Encryption of plain text X_(i), Enc (Xi), is any linear function in variable v of the form a_(i)·v+d_(i) satisfying a_(i)·v₁+d_(i)=X_(i). Let the pair (a_(i), d_(i)) define Enc (Xi). Alice's device selects a large-number mod N random R_(i), for a_(i) and solves the linear equation R_(i)·v₁+d_(i)=X_(i) for d_(i); thus d_(i)=X_(i)−R_(i)·v₁. The cipher text of Xi, consists of the pair (a_(i), d_(i)). Alternatively, Alice's device can pick a random large-number mod N, R_(i), for the given X_(i) and solve the simultaneous equations below for the unknowns a_(i) and d_(i):

a _(i) ·v _(i) +d _(i) =X _(i),  a. and

a _(i) ·v ₂ +d _(i) =R _(i)  b.

resulting in: a_(i)=(X_(i)−R_(i))/(v1−v2), and d_(i)=X_(i)−a_(i)·v₁=(R_(i)·v₁−X_(i)·v₂)/(v₁−v₂). This alternative, (computationally heavier), is useful in certain applications of verification.

Decryption: Given that an encrypted variable, (or a computed function of encrypted variables) is represented by a pair (a,d), anyone who knows the secret roots can decrypt by simply computing a·v₁+d.

Computation of multivariate function: For Bob's device to compute a function with the encrypted Xi, the public coefficients, b and c, (defined above under key generation) are used; note that b and c do not change for encryption of different variables; they are given typically once (per some predefined period) by Alice's device to Bob's device. We also note that typically one large-number multiplication is used for encryption. When computing multivariate functions with the encrypted variables we consider the addition, multiplication and division of two variables. Addition and multiplication of encrypted values are defined by the addition and multiplication, respectively, of the corresponding linear functions in Z_(N)[v]/PP(v). Given PORE(X₁)=(a₁, d₁), PORE(X₂)=(a₂, d₂) and PP(v)=v²+bv+c, addition, multiplication and division are performed as below.

Addition: PORE(X₁)+PORE(X₂)=(a₁+a₂, d₁+d₂).

Adding a scalar S to PORE(X₁): S+PORE(X₁)=(a₁, d₁+S).

Multiplication: PORE(X₁)·PORE(X₂)=((a₁+d₁)·(a₂+d₂)−a₁·a₂·(1+b)−d₁·d₂, (d₁·d₂−a₁·a₂·c)). This particular form aims at minimizing the number of multiplications of large numbers, i.e. five. Note, for squaring a variable, use above with X₁=X₂ and (a₁=a₂, d₁=d₂). Multiplying PORE(X₁) by a scalar S: S·PORE(X₁)=(S·a₁, S·d₁)

Division: Let D=d₂·(a₂·b−d₂)−(c·a₂)·a₂, PORE(X₁)/PORE(X₂)=(a₂·d₁−a₁·d₂)/D, (d₁·(a₂·b−d₂)−(c·a₂)·a₁)/D). It can be shown easily that, under the above definitions, the PORE scheme is fully homomorphic.

MORE and PORE are Isomorphic

Given the above definitions of MORE and PORE where operations under MORE are over the commutative ring C1={SMS⁻¹|M a diagonal matrix comprised of X and Y}, and operations under PORE are in the commutative ring C2=Z_(N)[v] mod PP(v), it can be shown that: 1. The mapping T: C1→C2 defined by T(SMS⁻¹)=av+d where av₁+d=X and av₂+d=Y is an isomorphism; and 2. For a given element in C1 finding its isomorphic image by someone who knows PP(v) is as difficult as factoring N. 

1. A method for secure key exchange between first and second peer devices, the first and second peer devices respectively holding a first secret value a and a second secret value b, the method comprising: computing in the first peer device an encryption of the first secret value a so as to generate encryption parameters that encode the first secret value; conveying the encryption parameters over a communication channel to a server which does not have access to either of the first and second secret values a and b; computing and conveying to the second peer device a first base value g^(a) equal to a public value g raised to a first power equal to the first secret value a, such that the first base value is raised by the second peer device to a second power equal to the second secret value b in order to generate a session key g^(ab); receiving in the server a second base value g^(b) computed by the second peer device by raising the public value g to the second power; computing a homomorphic exponentiation in the server using the encryption parameters and the second base value g^(b), so as to generate an output HE(g^(ab)) that is indicative of the session key; conveying the output from the server to the first peer device over the communication channel; applying in the first peer device a polynomial or matrix homomorphic decryption to the output conveyed by the server in order to recover the session key g^(ab); and encrypting and decrypting communications between the first and second peer devices using the session key.
 2. The method according to claim 1, wherein the server computes the homomorphic exponentiation without decrypting either of the first and second secret values.
 3. The method according to claim 1, and comprising: applying a polynomial or matrix homomorphic encryption in the first peer device to a third base value g^(v), which is equal to the public value g raised to a secret exponent v, thereby generating further parameters (R_(G),U_(G)) that encode the third base value; and conveying, from the first peer to the second peer, the further parameters (R_(G),U_(G)), which are applied by the second peer device in calculating the homomorphic exponentiation HE(g^(bv)) of the third base value raised to the second power, wherein computing the homomorphic exponentiation in the server comprises applying the homomorphic exponentiation of the third base value raised to the second power HE(g^(bv)) together with the encryption parameters and the second base value g^(b) in generating the output.
 4. The method according to claim 1, wherein computing the first base value g^(a) comprises computing the first base value in the server using the encryption parameters computed and conveyed by the first peer device.
 5. The method according to claim 4, wherein computing the encryption in the first peer device comprises generating the encryption parameters R′_(a), U′_(a) and g^(t) for use by the server in computing g^(a), such that U′_(a)=a−tR′_(a).
 6. The method according to claim 1, wherein computing the encryption in the first peer device comprises computing a key pair (x, g^(x)), wherein x is a secret value, by storing a plurality of pairs of component values (X_(j), g^(X) ^(j) mod N), selecting a subset of the pairs, and computing x as a sum of the values X_(j) over the subset, and g^(x) as a product of the values g^(X) ^(j) mod N over the subset.
 7. An apparatus, comprising: a communication interface, which is configured to receive, over a communication channel from a device external to the apparatus: a request to perform a modular exponentiation operation in which an exponent of the operation comprises a secret value, wherein the secret value is not provided to the server; and at least two parameters that encode the secret value in accordance with a polynomial or matrix homomorphic encryption of the secret value computed by the device; and a processor, which is configured to perform, in response to the request, a homomorphic exponentiation using the at least parameters received from the device without decrypting the secret value in the apparatus, so as to generate an output that is indicative of a result of the modular exponentiation operation.
 8. The apparatus according to claim 7, wherein the output comprises the result of the modular exponentiation operation in plaintext.
 9. The apparatus according to claim 7, wherein the output comprises a pair of output values, the pair of output values being decrypted by the device using a polynomial or matrix homomorphic decryption to recover the result of the modular exponentiation operation.
 10. The apparatus according to claim 9, wherein the polynomial homomorphic encryption uses two secret random large numbers as polynomial roots in computing the at least two parameters, and wherein the communication interface further receives from the device a sum and a product of the roots, and wherein the processor is configured to apply the sum and the product in computing the modular homomorphic exponentiation.
 11. The apparatus according to claim 9, wherein the result of the modular exponentiation operation is a session key for use in encrypted communications between the device and a peer device, and wherein a base of the modular exponentiation operation requested by the device comprises a public value raised to a secret exponent held by the peer device.
 12. A system for secure key exchange, the system comprising: first and second peer devices, the first and second peer devices respectively holding a first secret value a and a second secret value b; and a server which does not have access to either of the first and second secret values a and b, wherein the first peer device is configured to compute an encryption of the first secret value a so as to generate encryption parameters that encode the first secret value and to convey the encryption parameters over a communication channel to a server, and wherein the second peer device is configured to receive a first base value g^(a) equal to a public value g raised to a first power equal to the first secret value a, and wherein the second peer device is configured to raise the first base value to a second power equal to the second secret value b in order to generate a session key g^(ab), and to compute a second base value g^(b) by raising the public value g to the second power and to provide the second base value to the server, and wherein the server is configured to compute a homomorphic exponentiation using the encryption parameters and the second base value g^(b), so as to generate an output HE(g^(ab)) that is indicative of the session key and to convey the output to the first peer device over the communication channel, and wherein the first peer device is configured to apply a polynomial or matrix homomorphic decryption to the output conveyed by the server in order to recover the session key g^(ab) and to encrypt and decrypt communications with the second peer device using the session key.
 13. The system according to claim 12, wherein the server is configured to compute the homomorphic exponentiation without decrypting either of the first and second secret values.
 14. The system according to claim 12, wherein the first peer device is configured to apply the polynomial or matrix homomorphic encryption to a third base value g^(v), which is equal to the public value g raised to a secret exponent v, thereby generating further parameters (R_(G),U_(G)) that encode the third base value, and to convey the further parameters to the second peer, and wherein the second peer is configured to apply the further parameters (R_(G),U_(G)) in calculating the homomorphic exponentiation HE(g^(bv)) of the third base value raised to the second power, and wherein the server is configured to apply the homomorphic exponentiation of the third base value raised to the second power HE(g^(bv)) together with the encryption parameters and the second base value g^(b) in generating the output.
 15. The system according to claim 12, wherein the server is configured to compute the first base value using the encryption parameters computed and conveyed by the first peer device.
 16. The system according to claim 15, wherein the encryption parameters computed by the first peer device and conveyed to the server comprise R′_(a), U′_(a) and g^(t), such that U′_(a)=a−tR′_(a).
 17. The system according to claim 12, wherein the first peer device is configured to compute a key pair (x, g^(x)), wherein x is a secret value, by storing a plurality of pairs of component values (X_(j), g^(X) ^(j) mod N), selecting a subset of the pairs, and computing x as a sum of the values X_(j) over the subset, and g^(x) as a product of the values g^(X) ^(j) mod N over the subset. 